I was going to write about egress filtering on an Internet Router but something occurred today that I had to write about.
Remember the old excuse, "the dog ate my homework"? I can say that today the dog ate my thumb drive. Playing golf today I received a panicked phone call from my wife informing me that one of my dogs had eaten my thumb drive! Now I admit I use my thumb drive more for file transfer than file storage; I learned that lesson a long time ago, so nothing critical was on the drive.
When I got home I looked at the USB drive and it was crushed on one side of the connector. Since I knew the thumb drive contained nothing critical, I decided to attempt to "repair" the drive.
With nothing to lose, and subscribing to the theory that you can save the world with a Leatherman and duct tape, I started my thumb drive repair. Using the Leatherman's many tools I very carefully bent the USB connector back into its normal rectangular shape.
Reviewing the work of the Leatherman and myself, and being very proud of it, I plugged the drive into my Mac and waited. I opened up Finder and success! Finder saw the drive and I successfully browsed it. Looking over the data on the thumb drive, I was right that nothing would have been lost, thankfully.
So the moral of the story is: if your dog does eat your thumb drive, get a Leatherman and ever so carefully repair the drive! Next week I will discuss egress filtering on the Internet router.
Sunday, February 28, 2010
Sunday, February 21, 2010
Internet Network Filtering part 1
The architecture for connecting an organization to the Internet typically comes in two flavors. The first consists of a single device, usually a router but sometimes a firewall. The second consists of multiple devices, typically a router and a firewall. No matter which architecture is chosen, it is important that proper filtering is implemented. This is the first in a series discussing the implementation of proper filtering for an organization's Internet connection.
For this series of posts the organization's Internet architecture consists of the following equipment:
One Cisco IOS router
Serial (s0/0) interface connecting a T-1 to the Internet
Ethernet (e0/0) interface connecting to the firewall's outside interface
One Cisco ASA firewall
For a review of network ingress filtering, see RFC 2827.
To properly implement ingress filtering, begin by determining which address space IANA has currently allocated. To review the current allocations, visit the IANA IPv4 address space registry at this link:
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
Review the list and note every prefix whose status is either unallocated or reserved. The unallocated status is for prefixes that IANA has not yet issued. The reserved status is for prefixes set aside for various reasons, such as RFC 1918 private addressing, multicast networks, research networks, etc. These prefixes have no legitimate reason for being routed on the Internet, and if seen entering the organization as a source address they should be dropped.
With the list of prefixes to be dropped, the next step is to build the access control list (ACL). Before building the ACL it is important to understand which traffic direction the list will be applied to.
Since the filtering decision is based only on source address space, a standard IP ACL will be used. Note that IOS ACLs take a wildcard mask (the inverse of the subnet mask), so a /8 is written as 0.255.255.255, and a standard ACL matches on source only, so the final permit takes a single "any". To create the ACL type these commands in:
inetrtr01(config)#access-list 10 remark Drop unallocated and reserved source prefixes (RFC 2827)
inetrtr01(config)#access-list 10 deny 5.0.0.0 0.255.255.255
inetrtr01(config)#access-list 10 deny 10.0.0.0 0.255.255.255
inetrtr01(config)#access-list 10 deny 14.0.0.0 0.255.255.255
.
input omitted
.
inetrtr01(config)#access-list 10 deny 253.0.0.0 0.255.255.255
inetrtr01(config)#access-list 10 deny 254.0.0.0 0.255.255.255
inetrtr01(config)#access-list 10 deny 255.0.0.0 0.255.255.255
inetrtr01(config)#access-list 10 permit any
The permit statement allows all traffic from valid prefixes to reach the organization's resources.
With the ACL built, use the following commands to apply the ACL inbound on the s0/0 interface:
inetrtr01(config)#interface s0/0
inetrtr01(config-if)#ip access-group 10 in
Now test the ACL by sending traffic to the organization with a spoofed source address of 10.0.0.1. After sending this traffic, check the ACL counters and there should be hits on the line for the 10.0.0.0/8 network. Once you are happy with the ACL, save the configuration.
Congratulations, you have now successfully implemented ingress filtering. Spoofed traffic from invalid source prefixes will now be dropped by the Internet router. Dropping this illegitimate traffic at the router reduces the workload on the firewall.
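As an added example (not from the original post), this Python script builds the same kind of standard ACL from an excerpt of the IANA registry, converting each prefix to the wildcard mask IOS expects, and simulates the router's first-match lookup so the 10.0.0.1 test can be checked before the list ever touches the router. The registry rows are constructed for illustration and the function names are my own.

```python
import ipaddress

# Constructed excerpt in the shape of the IANA IPv4 address-space registry
# (prefix, status). A real run would read the full registry from the IANA
# URL above; the statuses here are illustrative, not a live copy.
IANA_SAMPLE = [
    ("005/8", "UNALLOCATED"),
    ("008/8", "ALLOCATED"),
    ("010/8", "RESERVED"),     # RFC 1918 private space
    ("014/8", "UNALLOCATED"),
    ("127/8", "RESERVED"),     # loopback
    ("224/8", "RESERVED"),     # multicast
    ("253/8", "UNALLOCATED"),
    ("254/8", "UNALLOCATED"),
    ("255/8", "RESERVED"),
]


def bogon_prefixes(registry):
    """Keep only prefixes whose status is UNALLOCATED or RESERVED."""
    nets = []
    for prefix, status in registry:
        if status.upper() in ("UNALLOCATED", "RESERVED"):
            first_octet, length = prefix.split("/")
            nets.append(ipaddress.ip_network(f"{int(first_octet)}.0.0.0/{length}"))
    return nets


def build_acl(nets, number=10):
    """Emit a Cisco IOS standard ACL: one deny per bogon, then permit any.
    Standard ACLs take a wildcard mask (inverse of the subnet mask), which
    ipaddress exposes as hostmask: /8 -> 0.255.255.255."""
    lines = [f"access-list {number} remark RFC 2827 ingress filter"]
    for net in nets:
        lines.append(f"access-list {number} deny {net.network_address} {net.hostmask}")
    lines.append(f"access-list {number} permit any")
    return lines


def matching_deny(nets, src):
    """Simulate the router's first-match lookup for a source address.
    Returns the index of the deny line the packet would hit, or None if
    it falls through to the final permit."""
    addr = ipaddress.ip_address(src)
    for i, net in enumerate(nets):
        if addr in net:
            return i
    return None


if __name__ == "__main__":
    bogons = bogon_prefixes(IANA_SAMPLE)
    print("\n".join(build_acl(bogons)))
    print("10.0.0.1 hits deny line", matching_deny(bogons, "10.0.0.1"))
```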
Next week I will cover egress filtering on the Internet router to ensure no spoofed traffic is leaving the organization.
Sunday, February 7, 2010
Superbowl Weekend!
With the biggest football game on this weekend I am taking a break to enjoy the game!